In recent years, with the networking of embedded devices typified by mobile phones, there is an increasing need for them to perform processing relating to information security in order to keep secrecy of data dealt with by an embedded device, to maintain data integrity, and to authenticate the embedded device itself. The processing relating to information security is realized by encryption algorithms and authentication algorithms.
In this case, the basic premise for performing the algorithms is that each embedded device “securely” holds unique secret information and a device-specific identifier (these information are hereafter called “key information”). The term “securely” as used herein indicates that it is difficult for persons other than valid user of the device to read key information or perform tampering.
As a means to securely hold key information, there is a protection method that uses a tamper-resistant mechanism, such as a security chip and a case preventing a fraudulent access from the outside by a physical protective film (metal case, resin mold), while mounting various sensors (optical sensor, voltage sensor, frequency detector). The protection method is a means based on the premise of protecting the key information existing as digital data in a non-volatile manner in the device.
As another method whose approach to securely holding key information is different from that of the means described above, there is a technique referred to as a PUF (Physical Unclonable Function). A large feature of the PUF is that key information is not maintained as digital data in a non-volatile manner in the device. Although there exist some embodiments of the PUF, the conventional technique will be described referring to “Signal Generator Based Device Security” having high general versatility, disclosed in Patent Literature 1, as a representative example.
FIG. 19 shows an embodiment of the PUF according to Patent Literature 1. A bit generator 100 includes ring oscillators 101 composed of N ring oscillators 102 (R0 to RN), a selection circuit 104, and a frequency comparator 107.
The bit generator 100 uses a frequency characteristic of each ring oscillator 102, as an information source of key information. Output signals 103 of the ring oscillators are oscillated by the frequencies each determined based on a delay characteristic of the feedback circuit configuring each ring oscillator. The selection circuit 104 outputs two signals 106 (Si, Sj), as a pair, out of N output signals 103 of the ring oscillators, according to values of selection signals 105 (I, J). Next, oscillation frequencies of Si and Sj are compared in the frequency comparator 107. Then, the frequency comparator 107 outputs a comparison result 108. When expressing the oscillation frequencies of Si and Sj, respectively, as Fi and Fj, a method of using their difference value Fi-Fj as the comparison result 108 can be shown as an example. Finally the bit generator 100 outputs the comparison result 108 and a response bit value 109 indicating whether the comparison result 108 is positive or negative.
In the embodiment of the Patent Literature 1, since oscillation frequencies of the ring oscillators are different from each other depending on variation of the delay characteristic of devices, even if the bit generators 100 are manufactured based on the same design information, response bit values that vary from device to device are output. It is asserted in Patent Literature 1 that, according to the above described, response bit values can be used as identifiers of respective devices, and since the identifiers are not stored as digital data in a non-volatile manner but generated every time the bit generator is operated, they have tamper resistance higher than before.